Skip to content

System configuration

The System configuration page provides information relating to Osirium PAM and allows you to configure a number of different settings.

The following tabs are available:

Licencing tab

The licencing page provides an overview of the licence you have bought and the features that have been activated as part of your licence.

It can help you manage your allowance limits against your current configurations and when you are in need of an upgrade to your licence limits.

Licencing tab

The following information is presented on the page:

Heading Description
Product usage Osirium PAM version: The version that has been installed and is currently running.

Users: Displays the total number of created user accounts against the total number of allowed user accounts.

The support account and the first SuperAdmin accounts will not be included in this count.

Devices: Displays the total number of provisioned devices managed by against the total number of allowed devices. The PAM Server device will not be included in this count.

MAP servers: Displays the total number of provisioned MAP Servers used with Osirium PAM against the total number of allowed MAP Servers.

Cluster nodes: Displays the total number of provisioned cluster nodes against the total number of allowed cluster nodes.

Enabled features Features available under this licence are displayed here, which may include:
MAP servers
Session recording
Service accounts
Change tickets
Device group separation
Active licence(s) Licencee: Name of the organisation or individual which the licencing has been assigned to.

Expiry: The date/time the license is due to expire.

Licence limits

When a licence total for Users, Devices or MAP Servers has been reached, if you attempt to add more, a message will be displayed stating that the licence limit has been met.

When the cluster nodes licence total has been reached, the DOWNLOAD CLUSTER JOINING BUNDLE will no longer be available, preventing any further nodes being added.

Licence expiration

When a licence is within 30 days of expiry a countdown warning message will appear in the banner on the Admin Interface.

A licence will expire at midday UTC of the expiry date. Once expired:

  • The only access available to Osirium PAM will be to the product licencing upload page on the Admin Interface.
  • Only the PAM Server will be displayed in the Device list. All other device tasks will be hidden.

If a new licence is uploaded before the current licence has expired, the existing licence will be superceded by the new licence.

Uploading a license

To load a licencing:

  1. Click the LOAD NEW LICENCE button. A Question window opens.

  2. Click YES to proceed.

  3. Within the Upload licence window, click Choose File.

    Upload Licence

  4. Within the File upload page navigate to and select a valid Osirium PAM licence file.

    If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.

  5. Within the Upload licence window, click UPLOAD. The new licencing file will be loaded. The licencing information is updated to reflect any changes.

Certificates tab

By default, Osirium PAM provides a generic certificate to allow secure web connections to the UI and Admin Interface. On this page you will see information about the current certificate that is being used.

We recommend that you upload a trusted certificate valid within your organisation.

Certificates are used to protect the data being sent between Osirium PAM by encrypting the data before it is sent and then decrypting the data when it reaches its destination.

Certificates tab

Upload a certificate

To upload a new certificate:

  1. On the Certificates tab, click LOAD NEW CERTIFICATE.

  2. In the Upload TLS Certificate window, upload your trusted certificate and RSA private key. Both are required for a successful upload.

    If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.

    TLS Certificate: Uploaded certificates will be verified to ensure they are an X.509 certificate with a .pem file format.

    RSA Private Key: Uploaded keys are verified to ensure they are an rsa key with a .key file format. Passwords/passphrase are NOT supported on the the rsa key.

    Upload Certificate

  3. Click UPLOAD. The certificate is uploaded.

Fingerprints tab

Fingerprints help guard against man-in-the-middle attacks on devices, in which attackers can secretly redirect network traffic between Osirium PAM and the device to monitor and manipulate the flow of information.

Fingerprints tab

When a device is deployed on Osirium PAM, a fingerprint is generated which Osirium PAM associates with the device. When connecting, Osirium PAM checks that the fingerprint of the device matches the fingerprint Osirium PAM associated with that device. By default, if the device fingerprint is not approved, Osirium PAM notes the discrepancy in the Logs page, but does not block the connection.

Connection fingerprint enforcement behaviour

If you want Osirium PAM to block connections to devices with unapproved fingerprints, you can configure the Connection fingerprint enforcement behaviour.

To configure the Connection fingerprint enforcement behaviour:

  1. On the table, click the Edit pencil icon for Connection fingerprint enforcement behaviour. The Edit entry window appears.

    Edit entry value

  2. From the Value drop-down, select one of the following options.

    Value Details
    Log only - Osirium PAM allows connections to devices with unapproved fingerprints.
    - Connection details are logged in the Logs page on the Key Verifier tab.
    Block - Osirium PAM blocks connections to devices with unapproved fingerprints.
    - Users attempting the connection receive an error message.
    - Connection details are logged in the Logs page on the Key Verifier tab.
  3. Click SAVE. The Connection fingerprint enforcement behaviour value is applied.

Fingerprints table

The Fingerprints table allows you to select fingerprints to associate with designated devices. The following details are available:

Column Details
Device Provisioned device on your PAM Server.
Tool Tool the fingerprint is attached to.
Approved If selected Checked box , the fingerprint is associated with the corresponding device.
If deselected Unchecked box icon the fingerprint is not associated with the corresponding device.

You can configure the PAM Server to block connections to devices with unapproved fingerprints using the Connection fingerprint enforcement behaviour above.

Fingerprint The fingerprint generated for the device. The PAM Server generates fingerprints from the device SSH key or certificate.
First seen at The first time the PAM Server connected to, or ran a task on, the device.
Last seen at The last time the PAM Server connected to, or ran a task on, the device.

Clustering tab

On the clustering tab you will find information related to your clustered environment.

Clustering tab

Heading Details
Nodes Number of nodes: Includes the leader and all followers.
Addresses: FQDN or IP Address of all the nodes in the cluster.
Leader's address Address of the PAM Server that is the leader of the cluster.
Local address Address of the PAM Server you are logged into.
Local role The role (leader or follower) of the PAM Server you are logged into within the cluster.
Node status Database status provides a status of the database for the PAM Server you are connected to based on the following:

- Standalone: this PAM Server is operating as a standalone and therefore a cluster with a single node for which it is the leader. A standalone PAM Server can be configured to use the clustering feature by adding additional nodes using the cluster joining bundle. The correct licence will be required to enable clustering.

- Clustered: there is more than one PAM Server which has a minimum of a leader node and a follower node. Data is replicated between the nodes.

- Unknown: the cluster service is unable to retrieve data from the back-end services of this node.

Key-Value store provides a status on the accessibility of node related data and provides a status based on the following:

- Standalone: this PAM Server is operating as a standalone and therefore a cluster with a single node for which it is the leader. A standalone PAM Server can be configured to use the clustering feature by adding additional nodes using the cluster joining bundle. The correct licence will be required to enable clustering.

- Clustered: there is more than one PAM Server which has a minimum of a leader node and a follower node. The node will make a connection to each node in the cluster to access specific data.

- Unknown: the cluster service is unable to retrieve data from the back-end services of this node.

Cluster status This section relates to the state of your entire cluster. The following states will be displayed based on the response received from the checks carried out by the cluster service:

Database provides a status of the database for each node in the cluster. Each node subscribes to every other node, each node then publishes its database tables to the subscribers. Each subscriber is then notified when a change occurs on a node and receives the updates. This ensures configuration data is synchronised and kept up-to-date between all the nodes.

The status is assigned as follows:

- Healthy: each node in the cluster can be contacted successfully.

- Partitioned: local node is considered as having issues.

- Degraded: this node is unable to stream to a node. This could be due to network issues or the node being taken off line.

Key-Value store provides a status on the accessibility of node related data for each node in the cluster. The cluster service connects to each node in the cluster and a status is assigned as follows:

- Healthy: each node in the cluster can be contacted successfully.

- Partitioned: local node is considered as having issues.

- Degraded: other nodes in the cluster are not contactable, this could be due to network issues or issues with services on the node itself.

Cluster joining bundle

The cluster joining bundle is required during the setup and configuration phase of the installation process and only available for download from the cluster leader node.

The bundle should only be downloaded when required as they will only be valid for 24 hours from the time of download or until the next bundle is downloaded.

A separate cluster joining bundle is required to join each PAM Server follower node to an existing cluster. The cluster joining bundle contains the following:

  • Configured address of the cluster leader node during installation (IP address or FQDN).
  • Client certificate that is used to make a connection identification and verification between the leader node and follower node. The certificate is revoked once the identification has been made.
  • Public half of the certificate authority so that the cluster may trust it.
  • Ability to generate a new certificate which contains the cryptographic keys signed by the certificate authority on the node joining the cluster.

Note

If you are configuring the node address using an IP address then ensure dns A records have been created.

NTP is recommended to ensure the clocks are synchronised for certificate times.

Clustering tab

Note

If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.

SAML2 tab

You can configure Osirium PAM to use a third-party identity provider (IdP) using Security Assertion Markup Language v2.0 (SAML2) to authenticate user logon credentials.

Setting up this configuration will enable Osirium PAM, the service provider, to delegate authentication to an external third party, the identity provider (IdP).

When a user logs on, Osirium PAM will request authentication from the identity provider. The identity provider is then responsible for authenticating the user credentials and notifying Osirium PAM. If the authentication has been successful, Osirium PAM will authorise the user and permit access.

The service provider configuration is used to construct the SAML2 metadata which will allow the Osirium PAM service to communicate and interact with the IdP.

Configuring SAML2

To configure:

  1. Click on the Edit pencil next to Service provider configuration.

  2. Witin the Edit entry window enter the details as follows

    Note

    The details entered will depend upon the Identity Provider that you will be delegating authentication to. Click here for instructions for configuring Osirium PAM SAML2 Authentication with Azure.

    Also click here for details on the limitations and troubleshooting when using Microsoft Azure.

    SAML2 configure service provider

    Heading Description
    Entity Id Enter a name or url to identify the service provider. This id will be used when configuring the IdP.
    Assertion consumer service URL The Assertion Consumer Service URL is the FQDN address where the SAML Assertion is HTTP POSTed by the users browser.

    This could be the PAM Server or a PAM UI instance but it must be accessible by the user’s browser.

    Username attribute/claim Default is samlNameId. This name needs to match the name of the attribute/claim once configured on your IdP.

    This is required for Osirium PAM to authorise the user once the IdP has authenticated the user. The username extracted from the SAML Assertion will be used to match an existing local user with the same username within Osiruim PAM user list.

    NOTE: As Osirium PAM does not permit the ‘@’ character in usernames if the value is an e-mail address the portion before the ‘@’ is extracted and used.

    Require assertion encryption Requires the Identity Provider to encrypt the whole SAML Assertion.
    Require signed messages Requires the Identity Provider to sign SAML messages.
    Require NameId encryption Requires the Identity Provider to encrypt the NameId element of the SAML Assertion.
    Organisation name Enter your organisation details that will be used by the IdP to identify you.
    Organisation site Enter your organisation details that will be used by the IdP to identify you.
    Support Name Enter the name of the support person/group that will manage IdP related issues.
    Support e-mail E-mail address of the support person/group that will manage IdP related issues.
  3. Click SAVE.

  4. Click DOWNLOAD SERVICE METADATA. This file is required by the IdP to construct the SAML2 metadata.

    If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.

  5. Once you have configured your IdP, you will need to upload the signing certificate to complete the configuration in Osirium PAM. This will then allow the Osirium PAM service to communicate and interact with the IdP to authenticate users with an Auth type set to SAML2.

    If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.

    For instructions on configuring Osirium PAM SAML2 Authentication within Microsoft Azure click here.

SAML2 with clustering

Osirium PAM cluster nodes share a certificate and private key for SAML, which is generated at installation time on the cluster Leader, so that SAML Assertions can be encrypted by the IdP and decrypted by any receiving node.

When configured, the Assertion consumer service URL is shared between nodes. However, if no Assertion consumer service URL is configured then the fall-back behaviour is for each node to use its cluster public address. It is recommended to only change the Assertion consumer service URL when using standalone PAM UI instances or proxies.

The Entity Id is also shared by cluster nodes; in essence the cluster is the SAML service.

Download Service Metadata

Click the DOWNLOAD SERVICE METADATA button to download the Osirium PAM service SAML metadata file that will be required when configuring the IdP.

If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.

Upload Identity Provider Metadata

Click the UPLOAD IDP METADATA to upload the IdP metadata file that will be required by Osirium PAM to communicate and interact with the IdP.

If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.

System settings tab

The following can be configured on the System settings tab:

System settings tab

Support account

The support account (osirium_support) is a PAM Server Ubuntu server administrative account. It is created during the installation of the PAM Server. This account is useful if you are unable to access the Admin Interface and want to troubleshoot issues through the command line.

The default setting is disabled and no password set.

Note

It should always be enabled and a password set when upgrading or carrying out a system restore.

To enable:

  1. Click on the Edit pencil next to Support account (User name: osirium_support).

  2. Check the Enabled box and type in a password.

    Support Acc enable window

  3. Click SAVE.

    Support Acc Set

PAM Server local password policy

If you are creating users that will be authenticated by Osirium PAM this setting will allow you to create and set a password policy to implement a greater complexity and stronger authentication on the passwords set for user accounts. Only passwords that meet the password policy will be allowed ensuring all passwords met the required criteria.

Note

This will not apply to externally authenticated Active Directory or RADIUS users.

To configure:

  1. To the right of PAM Server local password policy, click the Edit pencil icon.

    Local Password policy

  2. Set the appropriate policy using the fields described below.

    Password policy window

    Field name Description
    Invalid Characters Enter any characters you don't want used in a password.
    Any password containing these characters will be disallowed.
    Minimum Length The password must be equal to or greater than the minimum length set.
    Maximum Length The password must be less than or equal to the maximum length set.
    Require Letters and Numbers If true (tickbox checked), the password must contain both letters and numbers.
    Password Retries The user will be locked if an incorrect password is entered this many times.
    If set to 0, the user will be allowed infinite retries to enter their password.
    Unlock time
    (In Seconds)
    Time the user will have to wait before the account is automatically unlocked.
    Maximum Password Age
    (In Days)
    From the moment a password is changed, it starts aging. When the maximum age is exceeded, the user will be forced to change their password at next logon.

    If set to 0, the password will not expire.

    Password Must Differ From The Last N When the user sets a new password, it must be different from the last N passwords they have used.

    If left as the default 0, the password does not have to differ from any passwords used before.

  3. Click SAVE.

Active Directory password generation complexity

The password complexity of an Active Directory account managed by Osirium PAM can be set here. You can set the length of the password as well as any special characters that can used within the password.

To update the complexity settings:

  1. Click on the Edit pencil icon.

  2. Set the password length and special characters that should be used when setting a password for an Active Directory managed account.

  3. Click SAVE.

Enable pass-through

The pass-through feature allows users to single sign-on to devices using personalised accounts that preexist on the device. When a user logs onto the UI their credentials (username/password) are cached and encrypted to an instance on the PAM Server.

Then, when the user connects to a device which has been configured to use an access level of pass-through (see Creating a New Profile), the cached credentials are used to single sign-on to the device.

Note

Only the following authentication types can be used with pass-through:
- Active Directory: The password is cached.
- Active Directory then RADIUS: only the password is cached (not token).
- Active Directory then TOTP: only the password is cached (not token).

Cached pass-through credentials are saved as case sensitive. To ensure successful pass-through the username/password must match the users pre-existing device account (username/password).

When a user logs out or disconnects from the UI, their credentials are removed from the cache. Also, if the PAM Server is restarted (specifically the userauth service) all cached pass-through credentials are removed.

The pass-through feature is Enabled as default which means all user credentials will be cached when logged onto PAM.

If this feature is Disabled at anytime, profiles that have devices with pass-through access levels will show as greyed out in the UI for all user in the profile.

To change the setting:

  1. Click on the Edit pencil icon.

  2. Check or uncheck the Enabled box as per the setting required.

  3. Click SAVE.

Debug task logging

If you want more detailed debug messages from your PAM Server you can turn on the debug logging level. It can be helpful and provide more clues if you come across issues.

When enabled, the debug logging messages will be available on the System configuration > Logs page on the Admin Interface.

To enable:

  1. Click on the Edit pencil icon.

  2. Check the Enabled box.

  3. Click SAVE.

Debug API logging

If you require more detailed messaging and logging of the API function then you can turn on the debug level for the API. It can be helpful and provide more clues if you come across issues.

To enable:

  1. Click on the Edit pencil icon.

  2. Check the Enabled box.

  3. Click SAVE.

Debug UI logging

If you require more detailed messaging and logging of the UI you can turn on the debug level for the UI. It can be helpful and provide more clues if you come across issues.

To enable:

  1. Click on the Edit pencil icon.

  2. Check the Enabled box.

  3. Click SAVE.

External filestore

We recommend that you attach an external filestore to avoid disk space issues and to hold some of the larger files. This will ensure that the internal disk does not fill up too quickly allowing for a smoother running of system services and tasks.

Enabling and attaching a filestore will allow your PAM Server to save the following files directly onto the attached filestore:

  • Backups.
  • Techouts.
  • Session recordings.
  • Session archives if configured.

Note

If your virtual appliance is deployed as Generation 1 the external disk needs to be mounted to the IDE controller.

If your virtual appliance is deployed as Generation 2 the external disk needs to be mounted to the SCSI controller.

To add an external filestore:

  1. Firstly, you will need to add a virtual hard drive to your PAM Server which should be done in accordance with your company policy.

  2. Click on the Edit pencil icon.

  3. Check the Enabled box.

  4. Click SAVE. Osirium PAM will now partition, format and map to the external drive. Once successfully mapped, the disk usage bar on the Manage files page will be updated and display both the internal and external disks.

    From here you can monitor your disk status to manage your storage levels and take precautions if you disk space is getting full.

    Note

    The external filestore may take a little time to appear on Admin Interface, depending on the size of the disk that is being configured.

    External disk on Manage files page

Scheduled session archive

If you are session recording all your users on a daily basis then you will be creating a lot of recorded files on your system. This setting will allow you to manage the recordings being saved and help you with archiving the older session recordings for storage and backup.

Implementing a scheduled archive of session recordings will also allow you to manage disk space on your system or external disk. The schedule is based on the age of the recording and will automatically be archived when they reach the age limit set.

When a scheduled session archive setting has been configured it will:

  • Run the Archive Session task everyday at midnight and archive any UI sessions that are older than the age (days) set.

    When a session has been archived it will be marked as archived on the Device access report page on the PAM UI sessions section.

  • Store the archived file in the filestore. Will default to the external filestore if one has been configured.

  • List the archived session file on the Manage files page from where it can be downloaded.

  • Copy the archived file to a remote backup server if one has been configured. See Remote Backup Server Configuration.

  • Delete the session recordings from the Osirium PAM filestore and database once successfully archived.

To configure:

  1. Click on the Edit pencil icon.

    Scheduled session archive

  2. Check the Enabled box.

    Session archive edit Window

  3. In the Maximum session age (days) field, type in the number of days before a session is to be archived.

  4. Click SAVE.

    Session archive configured

Scheduled file removal

The number of device files created can grow rapidly so to help easily manage older files you may want to configure a schedule that will automatically delete files when they reach a certain age. This will also help you manage your disk space, ensuring stored files don't fill up your disk space which could slow your system down.

The deletion of files will be based on their age. But before you enable this schedule make sure you have any backup requirements in place, especially if you need to archive the files before they are deleted.

To configure:

  1. Click on the Edit pencil icon.

    Scheduled file removal

  2. Check the Enabled box.

    File removal edit Window

  3. In the Maximum file age (days) field, type in the number of days before a file is deleted.

  4. Click SAVE.

    Scheduled file removal

    The File removal task is run everyday at midnight and will now remove any files that are older than the age (days) set.

User group synchronisation interval

This setting should be used to create an automated synchronisation between the user groups in Osirium PAM linked to user groups on your Active Directory. This will help ensure that the Active Directory users within the group are kept up to date and any changes (removed/added users, password changes etc) are reflected in Osirium PAM.

Define in minutes how often you want Osirium PAM to synchronise user groups with your Active Directory.

To configure:

  1. Click on the Edit pencil icon.

  2. The default value is set to 15 minutes. The value must be greater than or equal to 5.

  3. Click SAVE. The User Group Synchronisation task will be run against each Active Directory user group listed on the Manage user groups page and make any necessary updates.

    User group sync log

Active Directory user group sync new user authentication type

This setting should be used to automate the authentication type setting of all new users that are synchronised through an Active Directory user group. See Managing user groups.

To select the authentication type setting that will be applied to new users that are synchronised through an Active Directory group:

  1. Click on the Edit pencil icon.

  2. The external authentication type values that can be set for the synchronised Active Directory user are:

    • RADIUS: this authentication type setting means that the user will use their RADIUS username to logon. The user doesn't need to enter a password as the existing RADIUS user password will be used to authenticate them into Osirium PAM.
    • SAML2: this authentication type setting means that the user will use their Active Directory username/password to logon . Osirium PAM will then request authentication from the identity provider. The identity provider is then responsible for authenticating the user credentials and notifying Osirium PAM. If the authentication has been successful, Osirium PAM will authorise the user and permit access.
    • Active Directory: this authentication type setting means that the user will use their Active Directory username/password to log on. Osirium PAM will consult with the Active Directory to verify the user logon before logging the user on.
    • Active Directory then TOTP: this authentication type requires a multi-factor login meaning a user will have to enter their Active Directory username/password as well as generate and enter a TOTP (Time-based One Time Password) to log on.
    • Active Directory then RADIUS: this authentication type requires a multi-factor login meaning a user will have to enter their Active Directory username/password as well as a RADIUS token to log on.
  3. Click SAVE.

Backup breakglass passphrase

This setting allows you to configure a passphrase to protect the KeePass file containing your device credentials. A passphrase must be configured in order for the KeePass file to be stored in the archived backup file that is created when you run a backup task on Osirium PAM.

To set a backup breakglass passphrase:

  1. Click on the Edit pencil icon. The Edit entry window opens.

  2. In the Passphrase field, type a passphrase.

  3. Click SAVE. The backup breakglass passphrase is applied.

Client settings tab

The following can be configured on the Client settings tab:

Client Settings tab

Client colour

The colour option allows you to specify a colour for the UI. This is useful when you want to distinguish the connections made to different Osirium PAM.

To change the colour:

  1. Click on the Edit pencil icon.

  2. Enter a HEX colour code; or

    Click the icon to use the Select a Color window:

    Client picker window

  3. Click SAVE. Now when a user logs onto the UI, the browser tab icon will contain the colour configured.

    Favicon

Connection settings tab

The following can be configured on the Connection settings tab:

Connection Settings tab

Device group separation identifier

Device group separation allows you to restrict access to device tools from multiple customers, to ensure that workstations don’t become a bridge point for data.

Before creating a group separation identifier, you need to create a meta-column entry of type Device. See Configure meta-info.

The meta-column values define the groups that are available. When a user connects to device tools through the UI, the group separation identifier controls which sets of device tools they can use at the same time.

To configure the group separation identifier:

  1. Click on the Edit pencil icon.

  2. Choose the appropriate option from the drop-down box.

    DGS Identifier edit window

  3. Click SAVE. Now the values in the device type meta-column will determine which device tools can be accessed after the first device tool connection has been made.

    For example:

    Device Meta-column value
    Device A Group 1
    Device B Group 1
    Device C Group 2
    Device D Group 2

    From the UI, if a user opens a tool from Device A which belongs to Group 1, the tool opens successfully. Then, whilst Device A is open, if the user opens a tool from Device B, then this will be allowed.

    In the default block mode, if the user has a device tool from Group 1 open and then tries to open a tool on Device C which belongs to Group 2, then the user will be unable to access the tool and an error message will be shown:

    Osirium proxy separation error

    Only when all Group 1 connections have been closed can the user open device connections from Group 2.

    Note

    This only applies to device tools, NOT to device tasks. Tasks can still be run at any time for any device.

Device group separation behaviour

Device group separation behaviour can be changed from the default Block setting (meaning devices from multiple groups can't be accessed at the same time) to a Warn setting. Selecting Warn means that a warning message appears when a user tries to connect to two devices from different groups, but the user can still continue to access both devices.

To configure the separation:

  1. Click on the Edit pencil icon.

  2. Select the Warn value from the drop-down box.

    DGS behaviour edit window

  3. Click SAVE.

    Now when a user opens up two connections to a device in different device separation groups, they won't be blocked but will be presented with a warning:

    DGS behaviour warning message

Network settings tab

The Network settings tab allows you to configure the following settings on Osirium PAM:

Network Settings tab

DNS servers

To set DNS servers:

  1. Click on the Edit pencil icon.

    DNS servers

  2. Set the primary, secondary and tertiary servers as required.

    DNS Edit entry

  3. Click SAVE.

DNS search suffix

Adding DNS search suffix entries will help resolve IP addresses when adding new devices.

To add a DNS search suffix:

  1. Click on the Add icon icon next to DNS Suffixes. DNS search suffix 1 will be added.

  2. Fill in the suffix:

    Edit entry

  3. Click SAVE.

NTP server

To set an NTP server:

  1. Click on the Add icon icon next to NTP server. NTP server 1 will be added.

  2. Click the Edit pencil icon for NTP server 1.

  3. Enter the IP Address or pool of the NTP servers.

    NTP server entry example

  4. Click SAVE.

    Tip

    You can add multiple NTP servers by clicking the Add icon icon several times.

Syslog server

Osirium PAM can send copies of its syslog messages to as many external syslog servers as you wish.

To add an external Syslog server:

  1. Click on the Add icon next to Syslog server. Syslog server 1 will be added.

    Syslog server add

  2. Click the Edit pencil icon for Syslog server 1.

  3. Enter the IP Address of the Syslog server Osirium PAM will be communicating with.

    Syslog edit entry

  4. Click SAVE.

Use CEF formatted syslog messages

Enabling this setting allows Osirium PAM to use the CEF formatting standard when displaying syslog messages.

To enable:

  1. Click on the Edit pencil icon.

  2. Check the Enabled box.

    Edit entry

  3. Click SAVE.

Logstash server

Enter your logstash server details to allow Osirium PAM to push events to your logstash server.

To add a logstash server:

  1. Click on the Edit pencil icon.

    Logstash server

  2. Fill in the details.

    Logstash edit entry

    Field name Description
    Host: Enter the host name or IP address of the logstash server.
    Port Enter the port number assigned to the logstash server.
    Unchecked box Enabled Enabling will allow Osirium PAM to connect to the logstash server.
  3. Click SAVE.

SMTP configuration

Configure the SMTP to allow emails to be sent from the PAM Server. SMTP is required if you want to setup Email subscriptions, see Managing Email Subscriptions.

Note

The SMTP server should support TLS (Transport Layer Security) otherwise there is a risk that a password will be sent in plain text.

To configure SMTP:

  1. Click on the Edit pencil icon.

    SMTP config

  2. Fill in the details.

    SMTP config edit entry

    Field name Description
    SMTP Server IP address of the SMTP server.
    Port Enter the port number assigned to the SMTP server.
    Username Enter the username that will be used to authenticate onto the SMTP server.
    Password Enter the password that will be used to authenticate onto the SMTP server.
    From Email Address Used to set the Reply-To and Sender headers user@domain of the outbound email.
    From name Used to set a text description in the Reply-To and Sender headers of the outbound email.
    SMTP Server Debug This allows email server transaction messages to be directed to the mail.log file
    Force STARTTLS If checked, will force Osirium PAM to use STARTTLS. If the remote server does not support STARTTLS then an error will be logged in mail.log file.
  3. Click SAVE. All SuperAdmins will receive an email to confirm that email has been successfully configured.

Send emails in plain text format

By default all emails sent from Osirium PAM are in HTML format. Osirium PAM can be configured to send all emails in plain text.

To configure all emails to be sent in plain text format:

  1. Click on the Edit pencil icon.

    Send emails in plain text format

  2. Check the Enabled box.

    Edit entry

  3. Click SAVE.

SNMP configuration

Configure SNMP to allow Osirium PAM to be monitored on your network.

To configure SNMP:

  1. Click on the Edit pencil icon.

    SNMP Config

  2. Fill in the details.

    SNMP config edit entry

    Field name Description
    Read only community string Enter a valid read-only community string to allow SNMP requests to be sent.
    System location Enter the location of Osirium PAM.
    System contact Enter a valid contact name for Osirium PAM.
  3. Click SAVE.

Combine password and token code for RADIUS-only users

Enabling this setting combines the password and token code. This only applies to RADIUS only users.

When users login, they will be presented with: a Password field; and a Token code field. If the user is only configured for RADIUS authentication (i.e. they are not using Local then RADIUS or Active Directory then RADIUS, see Manage users, then the way in which the Password and Token code fields are presented to the RADIUS server can be controlled here.

By default this setting is ENABLED (checkbox ticked) which means the Password and Token code fields will be joined together and sent as one RADIUS Access-Request. For example: With a Password of p4ssw0rd and a Token code of 12345, the RADIUS Access-Request will contain the combined User-Password of p4ssw0rd12345.

This setting will also be useful if:

  • Your RADIUS server is expecting the two parts concatenated e.g. an RSA RADIUS server expecting the user's password and token code in the same Access-Request.

  • Users only enter a secret. Not all RADIUS configurations will require a user to authenticate using both a password and a token code. Users may also not be familiar with the authentication mechanism and therefore they will either think of their one secret as a password or a dynamic token. By enabling this setting, the user can enter their one secret into either the Password or Token code field and the RADIUS server will still be sent the correct Access-Request.

Not combining the fields will be necessary if it is known that the RADIUS server will issue a follow-up Access-Challenge.

DISABLING (checkbox unticked) this setting will mean that only the Password will be sent in the initial RADIUS Access-Request. If the RADIUS server replies with Access-Challenge, then the Token code in the subsequent RADIUS Access-Request.

Note

Microsoft Azure Multi-factor authentication (MFA)

It is possible to configure RADIUS access to Azure MFA by setting up a Network Policy Server. With Azure MFA, users can choose whether they set up push-based or token-based MFA.

For token-based MFA, a Network Policy Server will issue a follow-up Access-Challenge, we therefore recommend DISABLING (checkbox unticked) the Combine password and token for RADIUS-only users setting to provide compatibility for both push-based and token-based users.

To enable:

  1. Click on the Edit pencil icon.

  2. Check the Enabled box.

    Edit entry

  3. Click SAVE.

RADIUS configuration

For Osirium PAM users to be authenticated through RADIUS, configure the RADIUS settings.

To configure Radius:

  1. Click on the Add icon next to RADIUS configuration. RADIUS configuration 1 will be added.

    Radius config

  2. Click the Edit pencil icon for RADIUS configuration 1. Fill in the following details:

    RADIUS config edit entry

    Field name Description
    Address Enter the IP Address of the RADIUS server.
    Port Enter the port number assigned to the RADIUS server service.
    Secret Enter the RADIUS Secret that will be used to authenticate onto the RADIUS server.
    Attempts Enter the number of times you want a user to attempt the connection before it fails.
    Timeout Enter the minutes allowed before the connection is timed out.
  3. Click SAVE.

Remote backup and archive server

If the remote backup and archive server is configured, Osirium PAM will automatically push Osirium PAM backups to the specified server at the end of the backup task. If session recording is enabled, session recording archives will also be pushed automatically at the end of the archive task.

Supported protocols are SCP, SFTP and SMB.

To setup remote backup:

  1. Click on the Edit pencil icon.

    Remote Backup and archive server

  2. Within the Edit entry window, fill in the following details:

    Remote Backup and archive server edit entry

    Field name Description
    Server type Select the method to be used to copy the backup file.
    Options available from the drop-dwon listbox are:
    SMB, SCP and SFTP.

    NOTE If None is selected from the drop-down list then the settings will be saved but the backup file will not be copied to the remote server.

    Server IP address Enter the IP address of the remote backup server.
    Port (SMB=445, SCP=22, SFTP=22) Enter the port number for the Server type selected.
    Path or share name Enter the path where the file will be saved to on the remote backup server.
    Username Enter a valid username with access to the remote backup server. The user must have the correct permission to write to the path specified.
    Password Enter a valid password.
  3. Click SAVE.

RDP keepalive enabled

Enabling this setting prevents the screensaver from being activated.

To enable:

  1. Click on the Edit pencil icon.

  2. Check the Enabled box.

    Edit entry

  3. Click SAVE.

ServiceNow ticket integration configuration

ServiceNow ticket integration in Osirium PAM allows tickets entered in the Change Management Tool to be validated against an existing ServiceNow configuration management database (CMDB), providing the following benefits.

  • Accountability: ability to see when, why and how tickets are allocated.
  • Security: attackers require a valid change ticket on top of privileged credentials.

Prerequisites

  • Osirium PAM must be configured as an OAuth provider on the ServiceNow CMDB. When configured, a Client ID and Client Secret are created. Make a note of these credentials as they will be required to identify Osirium PAM to ServiceNow.

  • Obtain a ServiceNow refresh token by running the relevant command on your workstation, as detailed in the ServiceNow documentation. The client ID and client secret created above, as well as the ServiceNow CMDB URL, are required, as per the example below.

    Example command:

    $ curl -d "grant_type=password&client_id=be3aeb583ace210011c15b24a43e25d8 &client_secret=client_password &username=admin&password=admin" https://instancename.service-now.com/oauth_token.do

    Make a note of the obtained refresh token.

    Note

    The refresh token has a lifespan designated in ServiceNow. When the refresh token expires, Osirium PAM automatically generates a new token.

To integrate ServiceNow:

  1. On the left-hand menu, under System, click System configuration. The System configuration page appears.

  2. Click the Network settings tab.

  3. On the table, click the Edit pencil icon to the right of ServiceNow Ticket integration configuration.

    ServiceNow config

    The Edit entry window appears.

    ServiceNow edit entry

  4. Within the Edit entry window, provide the following details to allow ServiceNow the integration:

    Field name Description
    Host URL of the ServiceNow CMDB.
    Client ID Client ID generated when Osirium PAM was configured as an OAuth provider.
    Client Secret Client secret generated when Osirium PAM was configured as an OAuth provider.
    ServiceNow Instance Refresh Token Refresh token obtained when Osirium PAM was configured as an OAuth provider.
    Emergency Ticket (blank to disable) In the event that an incident or change ticket number does not exist on the ServiceNow CMDB, or if you are unable to access the ServiceNow CMDB, you can provide an emergency ticket. Osirium PAM does not check the emergency ticket against ServiceNow.

    NOTE This feature should only be used in an emergency and should otherwise be left blank.

    Unchecked Enabled By default, ServiceNow integration is disabled. Select the checkbox to enable ServiceNow integration.
  5. Click SAVE. The ServiceNow integration details are added to the table.

Mesh tab

Info

In v7.x a Mesh backup can only be used to restore the leader onto a new PAM Server. All other PAM Servers in the cluster will have to be manually re-added. For this reason, we strongly recommend that VM level backups are performed on all PAM Servers.

Further information regarding backing up and restoring a PAM Cluster can be found here.

The Mesh mechanism will allow an Active virtual appliance primary to push a copy of its backup file to a Mesh secondary virtual appliance. The Mesh secondary virtual appliance does not contain any live configurations. A public key is used between the Active primary virtual appliance and the Mesh secondary virtual appliance to validate the mesh connection.

The stored backup file on the Mesh secondary virtual appliance can then used to restore an Active primary virtual appliance in a disaster recovery situation.

See How to: Restore PAM Server using a Mesh backup.

Important

When you build a mesh or upgrade a mesh server:

  • Ensure you don't delete or move the install files that are in /data/kits/latest/ as these are required for the restore process to work.

  • Ensure that the DNS servers are configured the same on the primary and secondary virtual appliances. This will ensure that a restored server is able to successfully resolve devices.

Mesh tab

To setup:

  1. Within the Active primary virtual appliance, click on the Mesh tab within System Configuration.

  2. Click the Edit pencil icon for Outbound Mesh Connection 1.

    Mesh outbound edit entry

    Fill in the following details:

    Field name Description
    IP Address IP address of the Mesh secondary VM where the backup will be stored.
    Push Backups Check to enable. This will allow the backup to be copied to the Mesh secondary VM.
  3. Click SAVE.

  4. Now click on the Public keyand copy.

  5. Log onto the Mesh secondary VM and open up the Admin Interface.

  6. Click System Configuration in the left-hand menu.

  7. Within the System configuration window, click on the Mesh tab.

  8. Click the Edit pencil icon for Inbound Mesh Connection 1.

    Mesh inbound

  9. Enter the API Key copied from the Active primary VM.

    Mesh inbound edit entry

  10. Click SAVE.

    Now, an outbound connection can be made from the Active primary VM to the Mesh secondary VM. The Mesh secondary VM will now accept file transfers from the Active primary VM.

  11. Now you need to create a profile to run the backup task.

    Create a profile assigning the Active primary as the Device and adding the Backup task. To set the task to run on a scheduled basis select the required Schedule.

    Once the scheduled backup has been created, it is automatically transfered to the Mesh secondary VM using SCP file transfer.

    Note

    Any Osirium PAM backup files created through manual execution will also be pushed to the Mesh secondary VM.